Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: upgrade npm to 11.0.0 #56274

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Conversation

npm-cli-bot
Copy link
Contributor

11.0.0 (2024-12-16)

Documentation

Dependencies

Chores

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added fast-track PRs that do not need to wait for 48 hours to land. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. labels Dec 16, 2024
Copy link
Contributor

Fast-track has been requested by @nodejs-github-bot. Please 👍 to approve.

@wraithgar
Copy link

wraithgar commented Dec 16, 2024

Breaking change list

  • npm now supports node ^20.17.0 || >=22.9.0
  • Upon publishing, in order to apply a default "latest" dist tag, the command now retrieves all prior versions of the package. It will require that the version you're trying to publish is above the latest semver version in the registry, not including pre-release tags.
  • When publishing a package with a pre-release version, you must explicitly specify a tag.
  • npm init now has a type prompt, and sorts the entries the created packages differently
  • The npm hook command has been removed
  • Attestations made by this package will no longer validate in npm versions prior to 10.6.0
  • bun.lockb files are now included in the strict ignore list during packing
  • --ignore-scripts now applies to all lifecycle scripts, include prepare
  • npm will no longer fall back to the old audit endpoint if the bulk advisory request fails.
  • npm will no longer switch to global mode if aliased to "npmg" or "npm-g" etc.

@wraithgar
Copy link

Just so we are clear, this is a breaking change! This should not be backported to node 22 (at least not without a good discussion first).

@ljharb ljharb added semver-major PRs that contain breaking changes and should be released in the next major version. dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. dont-land-on-v23.x PRs that should not land on the v23.x-staging branch and should not be released in v23.x. labels Dec 16, 2024
@wraithgar
Copy link

Why don't land on v23? I thought that's where breaking changes landed.

@ljharb
Copy link
Member

ljharb commented Dec 16, 2024

I might be wrong, but v23 is already released, and main is v24, and breaking changes to non-experimental things can't land in an existing major. Anyone is of course free to remove the label if my understanding is correct.

@wraithgar
Copy link

Based on past discussions:

It was only "LTS" that was the concern.

Additionally, given the "integrating with node" outline, nothing in this release breaks anything in that list.

@ljharb ljharb removed the dont-land-on-v23.x PRs that should not land on the v23.x-staging branch and should not be released in v23.x. label Dec 16, 2024
@richardlau
Copy link
Member

Why don't land on v23? I thought that's where breaking changes landed.

No, 23 follows semver like all Node.js releases. The odd releases have much shorter life times than the even ones, that become LTS. It's been a long-standing mismatch between npm's release policy and Node.js' policy and the compromise, in all of those linked issues, is that we would take a semver major npm version during a release line if it could be demonstrated that the breaking changes were not breaking to users.

@wraithgar
Copy link

👍 ok thanks for the clarification. We'll let you decide how far back to backport this.

The only things this will affect for folks running npm install would be:

  • folks who are using it with --ignore-scripts but also still expecting prepare to run (i.e. with git dependencies)
  • folks who somehow have a server they are using that supports its own audit endpoint, but only the fallback one
  • folks who have a (useless) bun.lockb file they are expecting to show up in their published package

@ljharb
Copy link
Member

ljharb commented Dec 16, 2024

Of those three, only the first one seems even remotely likely to be a concern, and a pretty unlikely one at that.

@aduh95 aduh95 added request-ci Add this label to start a Jenkins CI on a PR. author ready PRs that have at least one approval, no pending requests for changes, and a CI started. and removed fast-track PRs that do not need to wait for 48 hours to land. dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. labels Dec 17, 2024
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Dec 17, 2024
@nodejs-github-bot
Copy link
Collaborator

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. needs-ci PRs that need a full CI run. npm Issues and PRs related to the npm client dependency or the npm registry. semver-major PRs that contain breaking changes and should be released in the next major version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants